risepro | 0843057d10b0d3c78a3faee8534134a4433596b806ad8c5b0cba9ef9cbec013c

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
02-07-2024 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
Size

4.3MB
MD5

8b57404c159736a24f6f87a8a1062d4f
SHA1

2f22e1f2be6f60f07848e1f32722b075fe82fd06
SHA256

0843057d10b0d3c78a3faee8534134a4433596b806ad8c5b0cba9ef9cbec013c
SHA512

2cfb53c62e0c0291ee3d9a8f02ad0a99471f0c0cd587fd4c917561733b1d99c48d646258496cb2a74ad670301c8cd6f8ba65ea5a676dd9265c7ced98b0c59179
SSDEEP

49152:6ZRGPuGTHRe11vKzNaFCPcFxtxJzgZKUxT2BHHF6c9OtutAC8HNUPCAaq8Wdo0:6ZQ3HRe11SzoFrFxlgDx2B98t4C7

Score

10^/10

risepro discovery spyware stealer

Malware Config

Signatures

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Executes dropped EXE 22 IoCs

pid	Process
916	alg.exe
2976	DiagnosticsHub.StandardCollector.Service.exe
2800	fxssvc.exe
1696	elevation_service.exe
4308	elevation_service.exe
1788	maintenanceservice.exe
2296	msdtc.exe
3416	OSE.EXE
2768	PerceptionSimulationService.exe
2032	perfhost.exe
4136	locator.exe
4948	SensorDataService.exe
868	snmptrap.exe
4804	spectrum.exe
4628	ssh-agent.exe
3248	TieringEngineService.exe
4552	AgentService.exe
4408	vds.exe
2948	vssvc.exe
3528	wbengine.exe
2180	WmiApSrv.exe
4012	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9d431fab85dff9a7.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95953\javaws.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000048feed7d59ccda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a214fe7b59ccda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ee14df7b59ccda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008bed9c7d59ccda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009352bb7b59ccda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000029f33f7d59ccda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000082e0677b59ccda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ad9fc97b59ccda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008828f27b59ccda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003384357e59ccda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
Token: SeAuditPrivilege	2800	fxssvc.exe
Token: SeRestorePrivilege	3248	TieringEngineService.exe
Token: SeManageVolumePrivilege	3248	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4552	AgentService.exe
Token: SeBackupPrivilege	2948	vssvc.exe
Token: SeRestorePrivilege	2948	vssvc.exe
Token: SeAuditPrivilege	2948	vssvc.exe
Token: SeBackupPrivilege	3528	wbengine.exe
Token: SeRestorePrivilege	3528	wbengine.exe
Token: SeSecurityPrivilege	3528	wbengine.exe
Token: 33	4012	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeDebugPrivilege	4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
Token: SeDebugPrivilege	4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
Token: SeDebugPrivilege	4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
Token: SeDebugPrivilege	4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
Token: SeDebugPrivilege	4968	2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
Token: SeDebugPrivilege	916	alg.exe
Token: SeDebugPrivilege	916	alg.exe
Token: SeDebugPrivilege	916	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4012 wrote to memory of 5404	4012	SearchIndexer.exe	120
PID 4012 wrote to memory of 5404	4012	SearchIndexer.exe	120
PID 4012 wrote to memory of 5428	4012	SearchIndexer.exe	121
PID 4012 wrote to memory of 5428	4012	SearchIndexer.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-02_8b57404c159736a24f6f87a8a1062d4f_magniber_revil.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2976

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4780

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2800

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1696

C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4308

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1788

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2296

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3416

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2768

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2032

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4136

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4948

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:868

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4804

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4628

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:408

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4552

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4408

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4084,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=4252 /prefetch:8
1⤵
PID:4420

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2180

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4012
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5404
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe

Filesize
1.7MB

MD5
d0b12fe032e9402fbf11861b66aee8a6

SHA1
26a193183f4d2a9eb7673aaf0f38260fa2f172a1

SHA256
4e50f45f34de2c65ed7b44ef2a67641d1318c4dc4dc3e7e540fafef227c60de7

SHA512
92ef45b44b2f9d375b980d7d07e8a1c5ed52573a2e097742cb10371929860c2c1e6fcb1fa847468e4604aa4441410c7f9ce67bd2c969d7535d29be930ac649e7

Download Submit
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe

Filesize
1.0MB

MD5
fa3a7bbb2fcce7b3e2a12305f5394bc0

SHA1
b48af10a30e9f54dcf7532ea5beaa9357145ae98

SHA256
4d43f419d6db0bd68a86bab1c1368cb199815582bf4f0e593e96c4d52c8dcde0

SHA512
b45dec5eb3b1d439880dc3ea8beaacb24eafb5c1230416fe5de1f3a7d556604cfd8c95000b1b8a0cc960fbaa4505485464003ee79dc1f8fd84086cc2ff062801

Download Submit
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

Filesize
1.3MB

MD5
f91ee2490b5d209fc223d685f61475c9

SHA1
eed40154675ee3c8af1a228bfdfa78a00843f50c

SHA256
33ba5c8c0f3476098b00df7f64a043a7117df2d770be27c5726bb6c9a3c5d009

SHA512
2e8f689d3de9d9bccc8e29cc57c1486f6769fb57cc9cfd68dd9dacc4d4d86885757b3954bec7cc43a27a7b89a98e5d727aa08a983f45da690c47a7ec3b5e700d

Download Submit
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

Filesize
841KB

MD5
029ded8fbec5e9fc81d7a2cade57326f

SHA1
8e08a7ee1eae076aeec92bc8e534e318aa15b1e2

SHA256
28d105836eca5c8ccc5db7822631bd2756cb9727e612a06d6a9bded2ec5beae3

SHA512
5ee7c70bb830bfdfe1408b3a36a76b7fde02d626fca151d63d21e4a3e9f858403e1a2427b4ca753fdad8ffd56e3fc96bcdc78ebdade165e4d5132e101c079344

Download Submit
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe

Filesize
841KB

MD5
12168f13a6ac48eca34623c33a25e1f1

SHA1
2d829ac3fd95faf4a9faeec6848a1bfde6482a87

SHA256
ac62ada4e8bc9dd4cf2a83b7d1ee2b0759c1c5b2e40bda45e27410586f9f81e6

SHA512
b1b94e0a406de324b2329b8fb5e0294b9c9e045a8d03dc1ca22a6877dcf14d62a6758536f94de1832ad9bdbc23c7ef0bdccd0f788a461fc648f45dd757771ff7

Download Submit
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe

Filesize
1020KB

MD5
da7e3019fd8b8b6fa5571549a2d89426

SHA1
5eeedf74be15c883ea115e4b1614f839c0da6f76

SHA256
c241a36db8c40431dd1609753b68ad3ae6d9157656e6d244a3b543bde1293a6f

SHA512
40b401e0bec58b1d642e811911132f8d12970e00174032c0289b7eacb0787601b1669e43e809630fc4ff1d7b4b9f0355a747d5032f8acf037c55d33b102decdc

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe

Filesize
848KB

MD5
4adbfa697060784de3232b7d5cee4cbb

SHA1
6c6fd62df7ce8cc342be3527eeb89911ef1df1a5

SHA256
1e062578c230776c6134e46504f75104b96394e1f2ca489f2dcd15f9cf590b85

SHA512
3506202d76de390ea4877c801498b98edd2919a135709a738bee27e77cbe74b507d7c912ad96cf1f5c7df5b9267c36f8f3614ffe2f4884a128c981ec9790588b

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe

Filesize
947KB

MD5
78c9bd5a13d8cf7b5120a5001ec0b7d6

SHA1
c3dd90ee2a942856f77274416048c00fa9c00013

SHA256
64d9cd8401ca79e82685bbfc65103313f467fe823b1db7c82f712cb24a21e96c

SHA512
3042e3ac9f699c0edb676460c4b8d571e10b9a0e45775c52f673ef35053b104b724fd8d1144def25e6f032850c0f8dfd5540e04152d81b31836375bc95c2e45c

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe

Filesize
716KB

MD5
16bea3ebbfdf9e3ab20feaaf8ccf9b25

SHA1
fce56cf3d75f58830efb9d57666235b029ab04a7

SHA256
7075290a247088e26fdee86012e9de71d1ad5622a1a9935d043641cb2f4ed548

SHA512
a4036a093b1d19085cc22e9db236788df45799a8d914a167b12eee9a49cd83777614208fec15f2a16ec5520d933106a9e1a00529a475fe343de11cf0e1d073c5

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe

Filesize
736KB

MD5
51b2e630ff6c654b1ca98ae5723da6b6

SHA1
ebe395a1e6f09d023bcca525b4f38a07b19b4f6b

SHA256
2477eb4ec330093c72d71fd3e360fdbf93976c77a10bf8f0511c8d27c80c588f

SHA512
2389e733441c482248eaf97cbc357b57351a70ab9ced398ec902a2c029a0e6a257fc7a362776cfd3ac5e0caad5fe3e930a0f1c1cf015972dd1e504550be056eb

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe

Filesize
2.4MB

MD5
002a5f647dfbf9b03d4bde68686c2fb1

SHA1
63cc3d9d228dce000c799c650885e15ebf67c550

SHA256
70926822a199d6fc67f2170a1bb9c9c0eed9c9df38e2fd799d9d89c5f423684f

SHA512
5ca8e70cb782498d33497d407611bd0c1e8fbaccaaaa869aba6176ed02aabb9a8b2e7bbb3841d56b64240a8949a804c94c52be118a60c30750f2f5c338fd1f75

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
c7637e6b6b9773af0a0e30de1baae2e0

SHA1
4638251e38aa0d2def3c16fb8d9b7035c2a25b52

SHA256
fa0ebf4088b3d89c6ab8e42d47d4f611b315d6de0fb7861bc05320ffe63c163a

SHA512
2a095ab6d282a909fa868be7ebda4d7508e68cf5a6f836e33b9a8b78e2cdffe8340832e00125373bf1e73d56be9b1ebc2e875f3cd06c14132b5d378cb955d5f8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
b4f4e60b1c9b217434c7cfd463d010f5

SHA1
9697106a180a9d0db40e5683a4127eeb9b0712d7

SHA256
938a55d3ff7a223e59638f4b568310a834a9ba66022a60dc17e299d5b4dc1b0e

SHA512
be8141399f298418c7571b7eec8beab3686075b55f5237854d4127ab93670fc4e91e897bacebfe26c6342f3c574ab6804049d234314b85d7333be65e6c10aca8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
e28169dfaac98266b4acfe2ad389caee

SHA1
53625db8582c5fde9343655ac3e05c33ba9cc0c2

SHA256
0d63290cb087de215a87b55b323ca0fb9dc74830f188454c7b589865b657f66f

SHA512
2806f6db10f3d5c36c2ed007f6c416cf9aea02019d55518cbce1eb2f7663f2f6195160cfe2ea60180583edaf1acb3014489833a54828e55da52b6a1c918151d1

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
2560092139af4d23a235e8921dcbf408

SHA1
10ace7e4d868132ebbf1c45cde744e70ed248ee3

SHA256
bea2da4fd788c3c8cb1af83ae6e7ed97bee1df0a184c177bccd9dc6b83df31f8

SHA512
fe7fde4489fb1a20f297ae60f807561c23cb3c3bd196c2454b207aeed40435993b41844dd2c336ddae105a5c7cf5da52c611adb12d922151b05ebbe0a6e1e531

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
37abedb0ef8ea1e6329393cef7a5363b

SHA1
5ddaae095302947b2065dac939583fa885252603

SHA256
0ddbeeda2c1994ad4c6148f810696da636a5c9eb89f8e7ed9887aa2af583f61d

SHA512
a3497f3c5d0e4c1a9b921da9812b535de76ce06fdeb9107ca15381e176f35c25bf3c1040c0e49a5d6d44bbf234a525d738d3455ca11a12beff84b5aed7867d76

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
f62e95117d042ca2200b32b3e2e4a5de

SHA1
20d08034ffb62e36c2a45f83e04d9f378a61ee89

SHA256
a6b133c39dfd6ab2f7f845169c40a79d702bafab709b7d7ddf726d6ce89d5ded

SHA512
4964636996b1eec104af7e6d7a971ca1f2f2d1fffa6cfd063cf8b1da20adaf9161a340229a773e7960ac343f704608c47a48df527d48cf806c5e0cbb1740c53a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
1a083b424c8c977dd9b19d907a7cf349

SHA1
e7bd8b5d047d36fa360bf2c716cffb6c258c2d84

SHA256
a643675d5d48d426f181342981830348a9e222ed3a0edba336e871e2580f68a2

SHA512
45eaf7fe0231fe03ce4e82ed55b1bcc29b0cb494adef8176e8f7bf11718fb097b78e89c4c0322d6f83d825014843b66bd9dd2d41dafcfafb31e3541bff08927e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f0f095f7cb91f54e840a58bb63e94d52

SHA1
c6dac6b735dd02db2f73d961f5040a1d9b0a0a4b

SHA256
378c2e6c0c629310a489e19684db4c05c559ab18192f12cc20efebd6e4bad4b3

SHA512
df62cdbbaf6f5f5aad0d20142db0627d1cfe8a2c7a07d901f889453c5d9bdc67c51a02d01ae2834003570e2d769644e2a1d55e06bcd86d9e59b92af40bd42fc6

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
65f98518a6d5a330ca01b05d0041bb44

SHA1
703badf4239fe7fbe02bb4a5e88e9de592071c06

SHA256
acf1491bb1409243220116e9a539929dd26fe604cc5613c84bec96eb5b6b8803

SHA512
c13be968fdf45360da08abfc917fd415bed982f236f72967b2f9a8bd8c5cd9832f895f788e130a9971b42e812d2ba80e70f6fbade416bc89885f1765d2acc4a0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
616a5c0e6e6f818c0e0af530fe3617b0

SHA1
b9f2fef113b52ca2728fd399b24c7633f7c642b3

SHA256
803aa16268bfa37f9a5df6025d66439477123bf3e40ef039d1f19b8e3c05dede

SHA512
220060d68e7529fff9f2f932afc72051a462d6bd6c01ceecdd15b785b687c7632099c0e7ba36cf9fd8290da38855a89ec3a275fb1eb417767ac43192499518c7

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
29bc15b85b6aac608c50353179b6bb2d

SHA1
2579e525110646f211c029e7bc09416c3ed6c1f0

SHA256
231e9a16fac795a54311f90bfa14a9b921b9513def7bf0e270233fe539cebce5

SHA512
6c01930ff5144c29bf184a8f24ad3e5f165385adf3195a4fb63ca358047cfaf51372f1e56a714c5e4803954b6118e9527e7a6a82f18a1a340fd30d13c878cb86

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
fca4e16935f1b9175a29cc5930beb4bb

SHA1
c21a08db8c0349bd9b37405a778266689fd7e6b2

SHA256
40375b8d959f47fbca973c713dd2505c5d99df7d769fdeb0d161972bd0b63a99

SHA512
f89a23d7ed8f5ff0ae0b72cf40e7f4656b203bb7fe2f9b3bd89ec9b3774051ef6e595192fb185e4130745c9551344317bf8340c218953726a94557adafb5bde3

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b005e2ee63d3c4f6fb9871874a7ceac6

SHA1
a968f228afb3baa3659778ec4eefca3cab9a0d90

SHA256
33b15ed845b4a97954deaef60a78a58ebcb934a9cde89126e17d62d64dabcbb8

SHA512
c8894c76c785191f915da5e8bc6d34c4ad2d44e34c8441fe87da378f721c58967b5a89c9446dea37b656e1c9dbec1e365a58e1a81e2e880be25f45d26eb4304d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
7e7a48f39435780ef91dcf192cdab63e

SHA1
3139f99e5458c3510f3801933f17b415e99f9b85

SHA256
1806aed3a1187af86ceec990375ed20027499e1c739012fe6446abd6d25dc47b

SHA512
5b6dd3dadddd66869331b1153beaa01d947ed4b9b7524ed6315409d03dcadb2b30bd48405d129cf25a16a03f7461cd03d396bbd33d5c29e9ae4f75faeac468c8

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
42d18f1a9061cd7bb201380ea1ea74b9

SHA1
4a39a82766418516e27c9dd7055e0f6bc45b5486

SHA256
4af0675a228b019359c5a11d7e48997e6d9003fa4eda16b8307c5fc89fbb97c2

SHA512
86c30a5a22a83b6fc51eb247c738a9471c967d2bf6bd219de2daf34e125ed388501631c687228c828d90c855ccab10ec80c3ab2eb89fa63107e1e8eedbb2f681

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
603cf13a1cc1c48bff250b4d5628e052

SHA1
cc0ce18d555570d2514cb22cc0baf473fac7cd68

SHA256
ee93a94e98fb849c4fe10f8bda4b5ab843570ae49b6130cf08c76cdfc9eade24

SHA512
0a5b4e6d24e8c9abd1ecd244618763eb5a3aba6af414d14971e77959d65237b32a0e10bf76191128aa86c7e09b1da5dbbeff608045fe7b11447162630ed47a96

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
7f20816dea5bcc8123aad4a4e833c434

SHA1
e4ac6f79aaae2fd988a39d98422375d3e7f411f3

SHA256
46acbeadb10eae3841e95b17737987085de46e74a4c0059a4417653900b5855f

SHA512
77426f6c14f6dcf2cf3efa2f6633565bb74e742c70289a77dd50df5b5179b6bccf8df9872af96072adff013aa8e077fbe05aff53a869341639972f9e1b829648

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
382f90506aaa6f835c3c9f960d2b6617

SHA1
cb894a65b9e04b7bac9a5d650926f2a91c5faeb6

SHA256
5284bcc18e457c6d1266d585b82948a0d4d848dbd3af12a7a91346c84f01324a

SHA512
f8b0ca9524801946d5a4da646d810e00b4b010b4a79b252ef233681e4810dd45ba49c438891417934db08e565870ec888cf82a3e42a8194c899faf3ace85d4d6

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
59c0c7ed06cfca732c8687dd9e091b44

SHA1
dfe48c0c33bbb58e9ce65a3d88f5a7547db5ab01

SHA256
e611ab3285540c4111d136035fbd7441534d5ab236ff7341454f0a66d3e4827f

SHA512
b88eed70485e02e3cb175cc7a8f7247715439a7e57473447b9e402ffb0b96ee11872678316d356b9bc74c808eabc49e37c3c0a2171d6bccc6a17020d68f39b84

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
bed94a7bae82bf626d96b1af07cebe24

SHA1
9716a75a84b84af8ab763940da49547bff8e9810

SHA256
f6842a23bc83225f06c43121c556108d791c483a9f5fe176ef2280a713b85e6d

SHA512
20821f7ddcd7b9d3b3a112b0df4e962ae0b9ae49af96c2d373c7f846001d45d989a7e48822576febc115e0a5cb0a9b5475a70972a0970cb0410e0fa2d12f2073

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
5506cab430079223fb6f7849ced24c98

SHA1
e7884c0cabeb95550171f392dc716d2ba1533615

SHA256
6a0e5da88a4817c3ab0f5c550ae8fea7b104d2a92b304a72199a188efc376872

SHA512
6b3183c2fd3f3383d2fa133b5f0ec2a64cb35089854ba2017bfab86bd5bde7255e4eb37c9b22665775cd0519f05bebcc10b63de2cb5afa0bf40b7e66f5824b47

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
4cf6e35e1b22f1f92f004f5e4c0e7dac

SHA1
b8a293bda3704050f3710f83eea778fc94e99da4

SHA256
7a25c6e017621c4cceeb11e745c8360530fb46965de8b86f180bf1ae08b027eb

SHA512
60747285a72a04b93f673e2523b0acf1de4044f4453d1574a1641de437d7d3b7387f86a9de2ba7c942c4bd481d34fb8a2226195a2d52812dba31aad973e81fec

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
0a352d5e59946cee7eede9c2944de006

SHA1
fd51924f6beb85e8034ceded294654e5cc201dd6

SHA256
fd1d1fbde4ab622df6246cc29c788011256812f13c4c6b69293b44b28b89055a

SHA512
750acaa564894306c1871ffcfa2b3337abce38a6f1b2db5367206a2cce78ec933144659fb67c3a76a5291d774b9d27c2996cf533f2a9a9c2722e63a93f392f82

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
59f27d0827cce88ea6a73df0b08b0c5f

SHA1
ceffcbf0db39db57267fe645e4779c1aa8754e00

SHA256
6895b036f6765ff2155002ad03be33075a92281ef2163f8bf411548437ace247

SHA512
7f3418ce4c3ee32fe1ab4397b55146810736e7a85877afe0e597ac3fc0b3484a23cf44253cf664560659bc72ac2a6bbd716eddf79d61f76effacea7353658742

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
13d8ed704392e9f61e5eb7f97d075185

SHA1
b2504681b56ab09f2bcb191821e8db29035ab239

SHA256
86f8ea5ab57ffd9801d206aed98dee350eacd43d791bbc1f767c39d8e38b32dc

SHA512
190f521c6e27e6b011563fe90ed2b3175f8de013a221fcf1524d0d07dc8a8dedc7c1913fa946e1c419e812d321a8fdbc7e41fd2e4330990a035b3c2cd5bf5d63

Download Submit
memory/868-328-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/868-164-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/916-112-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/916-19-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/916-20-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/916-18-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/916-12-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1696-53-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1696-59-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1696-238-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1696-61-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1788-81-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/1788-84-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1788-87-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/1788-75-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/1788-89-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2032-161-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2180-257-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2180-435-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2296-91-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2296-92-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2296-324-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2768-160-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2800-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2800-49-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/2800-51-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2800-39-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/2800-47-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/2948-384-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2948-227-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2976-35-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2976-26-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2976-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2976-209-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3248-199-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3248-330-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3416-113-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3528-247-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3528-433-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4012-271-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4012-436-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4136-162-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4308-71-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/4308-256-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/4308-65-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/4308-64-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/4408-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4408-367-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4552-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4552-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4628-198-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4804-197-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4804-329-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4948-163-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4948-327-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4968-83-0x0000000000400000-0x000000000085A000-memory.dmp

Filesize
4.4MB

Download
memory/4968-0-0x00000000026B0000-0x0000000002717000-memory.dmp

Filesize
412KB

Download
memory/4968-7-0x0000000000400000-0x000000000085A000-memory.dmp

Filesize
4.4MB

Download
memory/4968-8-0x00000000026B0000-0x0000000002717000-memory.dmp

Filesize
412KB

Download